/*      */ package com.zimbra.cs.service.admin;
/*      */ 
/*      */ import com.google.common.collect.Lists;
/*      */ import com.google.common.collect.Maps;
/*      */ import com.zimbra.common.account.Key.AccountBy;
/*      */ import com.zimbra.common.account.Key.DomainBy;
/*      */ import com.zimbra.common.service.ServiceException;
/*      */ import com.zimbra.common.util.Log;
/*      */ import com.zimbra.common.util.ZimbraLog;
/*      */ import com.zimbra.cs.account.AccessManager;
/*      */ import com.zimbra.cs.account.AccessManager.AttrRightChecker;
/*      */ import com.zimbra.cs.account.Account;
/*      */ import com.zimbra.cs.account.AccountServiceException;
/*      */ import com.zimbra.cs.account.Alias;
/*      */ import com.zimbra.cs.account.AttributeClass;
/*      */ import com.zimbra.cs.account.AttributeManager;
/*      */ import com.zimbra.cs.account.AuthToken;
/*      */ import com.zimbra.cs.account.CalendarResource;
/*      */ import com.zimbra.cs.account.Cos;
/*      */ import com.zimbra.cs.account.DistributionList;
/*      */ import com.zimbra.cs.account.Domain;
/*      */ import com.zimbra.cs.account.DynamicGroup;
/*      */ import com.zimbra.cs.account.Entry;
/*      */ import com.zimbra.cs.account.NamedEntry;
/*      */ import com.zimbra.cs.account.NamedEntry.CheckRight;
/*      */ import com.zimbra.cs.account.Provisioning;
/*      */ import com.zimbra.cs.account.accesscontrol.ACLAccessManager;
/*      */ import com.zimbra.cs.account.accesscontrol.AccessControlUtil;
/*      */ import com.zimbra.cs.account.accesscontrol.AdminRight;
/*      */ import com.zimbra.cs.account.accesscontrol.AttrRight;
/*      */ import com.zimbra.cs.account.accesscontrol.GlobalAccessManager;
/*      */ import com.zimbra.cs.account.accesscontrol.GranteeType;
/*      */ import com.zimbra.cs.account.accesscontrol.HardRules;
/*      */ import com.zimbra.cs.account.accesscontrol.HardRules.HardRule;
/*      */ import com.zimbra.cs.account.accesscontrol.PseudoTarget;
/*      */ import com.zimbra.cs.account.accesscontrol.Right;
/*      */ import com.zimbra.cs.account.accesscontrol.Right.RightType;
/*      */ import com.zimbra.cs.account.accesscontrol.RightCommand.AllEffectiveRights;
/*      */ import com.zimbra.cs.account.accesscontrol.RightCommand.DomainedRightsByTargetType;
/*      */ import com.zimbra.cs.account.accesscontrol.RightCommand.EffectiveRights;
/*      */ import com.zimbra.cs.account.accesscontrol.RightCommand.RightAggregation;
/*      */ import com.zimbra.cs.account.accesscontrol.RightCommand.RightsByTargetType;
/*      */ import com.zimbra.cs.account.accesscontrol.Rights.Admin;
/*      */ import com.zimbra.cs.account.accesscontrol.TargetType;
/*      */ import com.zimbra.cs.account.names.NameUtil.EmailAddress;
/*      */ import com.zimbra.soap.DocumentHandler;
/*      */ import com.zimbra.soap.ZimbraSoapContext;
/*      */ import com.zimbra.soap.admin.type.GranteeSelector.GranteeBy;
/*      */ import java.util.EnumSet;
/*      */ import java.util.HashMap;
/*      */ import java.util.HashSet;
/*      */ import java.util.List;
/*      */ import java.util.Map;
/*      */ import java.util.Set;
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ public abstract class AdminAccessControl
/*      */ {
/*      */   protected AccessManager mAccessMgr;
/*      */   protected ZimbraSoapContext mZsc;
/*      */   protected Account mAuthedAcct;
/*      */   protected AuthToken mAuthToken;
/*      */   
/*      */   public static AdminAccessControl getAdminAccessControl(ZimbraSoapContext zsc)
/*      */     throws ServiceException
/*      */   {
/*   99 */     Account authedAcct = DocumentHandler.getAuthenticatedAccount(zsc);
/*  100 */     AuthToken authToken = zsc.getAuthToken();
/*  101 */     return newAdminAccessControl(zsc, authToken, authedAcct);
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */   public abstract boolean hasRight(Entry paramEntry, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */   public static AdminAccessControl getAdminAccessControl(AuthToken authToken)
/*      */     throws ServiceException
/*      */   {
/*  113 */     String acctId = authToken.getAccountId();
/*  114 */     Account authedAcct = Provisioning.getInstance().get(Key.AccountBy.id, acctId);
/*  115 */     if (authedAcct == null)
/*  116 */       throw ServiceException.AUTH_REQUIRED();
/*  117 */     return newAdminAccessControl(null, authToken, authedAcct);
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract boolean isSufficientAdminForSoap(Map<String, Object> paramMap, DocumentHandler paramDocumentHandler);
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract boolean isSufficientAdminForZimletFilterServlet();
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public static boolean isAdequateAdminAccount(Account acct)
/*      */   {
/*  155 */     return AccessManager.getInstance().isAdequateAdminAccount(acct);
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkModifyAttrs(AttributeClass paramAttributeClass, Map<String, Object> paramMap)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkSetAttrsOnCreate(TargetType paramTargetType, String paramString, Map<String, Object> paramMap)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract boolean hasRightsToList(NamedEntry paramNamedEntry, AdminRight paramAdminRight, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract boolean hasRightsToListCos(Cos paramCos, AdminRight paramAdminRight, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkRight(Entry paramEntry, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkCosRight(Cos paramCos, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkAccountRight(AdminDocumentHandler paramAdminDocumentHandler, Account paramAccount, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkCalendarResourceRight(AdminDocumentHandler paramAdminDocumentHandler, CalendarResource paramCalendarResource, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkDistributionListRight(AdminDocumentHandler paramAdminDocumentHandler, DistributionList paramDistributionList, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkDynamicGroupRight(AdminDocumentHandler paramAdminDocumentHandler, DynamicGroup paramDynamicGroup, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkDomainRightByEmail(AdminDocumentHandler paramAdminDocumentHandler, String paramString, AdminRight paramAdminRight)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkDomainRight(AdminDocumentHandler paramAdminDocumentHandler, String paramString, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract void checkDomainRight(AdminDocumentHandler paramAdminDocumentHandler, Domain paramDomain, Object paramObject)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract AccessManager.AttrRightChecker getAttrRightChecker(Entry paramEntry)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public abstract AccessManager.AttrRightChecker getAttrRightChecker(Entry paramEntry, Set<HardRules.HardRule> paramSet)
/*      */     throws ServiceException;
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   private AdminAccessControl(AccessManager accessMgr, ZimbraSoapContext zsc, AuthToken authToken, Account authedAcct)
/*      */   {
/*  284 */     this.mAccessMgr = accessMgr;
/*  285 */     this.mZsc = zsc;
/*  286 */     this.mAuthToken = authToken;
/*  287 */     this.mAuthedAcct = authedAcct;
/*      */   }
/*      */   
/*      */   private static AdminAccessControl newAdminAccessControl(ZimbraSoapContext zsc, AuthToken authToken, Account authedAcct)
/*      */   {
/*  292 */     AccessManager accessMgr = AccessManager.getInstance();
/*      */     
/*  294 */     if (accessMgr.getClass() == ACLAccessManager.class)
/*  295 */       return new ACLAccessControl(accessMgr, zsc, authToken, authedAcct, null);
/*  296 */     if (accessMgr.getClass() == GlobalAccessManager.class) {
/*  297 */       return new GlobalAccessControl(accessMgr, zsc, authToken, authedAcct, null);
/*      */     }
/*  299 */     return new DomainAccessControl(accessMgr, zsc, authToken, authedAcct, null);
/*      */   }
/*      */   
/*      */   public boolean isDomainAdminOnly()
/*      */   {
/*  304 */     return this.mAccessMgr.isDomainAdminOnly(this.mAuthToken);
/*      */   }
/*      */   
/*      */   static boolean isDomainBasedAccessManager(AccessManager am) {
/*  308 */     return !(am instanceof ACLAccessManager);
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   protected void checkDomainStatus(Entry target)
/*      */     throws ServiceException
/*      */   {
/*      */     Domain domain;
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     Domain domain;
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*  332 */     if ((target instanceof Domain)) {
/*  333 */       domain = (Domain)target;
/*      */     } else {
/*  335 */       domain = TargetType.getTargetDomain(Provisioning.getInstance(), target);
/*      */     }
/*      */     
/*      */ 
/*  339 */     this.mAccessMgr.checkDomainStatus(domain);
/*      */   }
/*      */   
/*      */   protected void soapOnly() throws ServiceException {
/*  343 */     if (this.mZsc == null) {
/*  344 */       throw ServiceException.FAILURE("internal error, called from non-SOAP servlet", null);
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   private static class DomainAccessControl
/*      */     extends AdminAccessControl
/*      */   {
/*      */     private DomainAccessControl(AccessManager accessMgr, ZimbraSoapContext zsc, AuthToken authToken, Account authedAcct)
/*      */     {
/*  357 */       super(zsc, authToken, authedAcct, null);
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */     public boolean isSufficientAdminForSoap(Map<String, Object> soapCtxt, DocumentHandler handler)
/*      */     {
/*  364 */       if (this.mAuthToken.isAdmin()) {
/*  365 */         return true;
/*      */       }
/*      */       
/*      */ 
/*  369 */       boolean ok = (handler.domainAuthSufficient(soapCtxt)) && (this.mAuthToken.isDomainAdmin());
/*  370 */       return ok;
/*      */     }
/*      */     
/*      */     public boolean isSufficientAdminForZimletFilterServlet()
/*      */     {
/*  375 */       return (this.mAuthToken.isAdmin()) || (this.mAuthToken.isDomainAdmin());
/*      */     }
/*      */     
/*      */     public void checkModifyAttrs(AttributeClass attrClass, Map<String, Object> attrs)
/*      */       throws ServiceException
/*      */     {
/*  381 */       for (String attrName : attrs.keySet()) {
/*  382 */         if ((attrName.charAt(0) == '+') || (attrName.charAt(0) == '-')) {
/*  383 */           attrName = attrName.substring(1);
/*      */         }
/*  385 */         if (!AttributeManager.getInstance().isDomainAdminModifiable(attrName, attrClass)) {
/*  386 */           throw ServiceException.PERM_DENIED("can not modify attr: " + attrName);
/*      */         }
/*      */       }
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */     public void checkSetAttrsOnCreate(TargetType targetType, String entryName, Map<String, Object> attrs)
/*      */       throws ServiceException
/*      */     {}
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */     public boolean hasRightsToList(NamedEntry target, AdminRight listRight, Object getAttrRight)
/*      */       throws ServiceException
/*      */     {
/*  404 */       return true;
/*      */     }
/*      */     
/*      */     public boolean hasRightsToListCos(Cos target, AdminRight listRight, Object getAttrRight)
/*      */       throws ServiceException
/*      */     {
/*      */       boolean hasRight;
/*      */       boolean hasRight;
/*  412 */       if (isDomainAdminOnly()) {
/*  413 */         hasRight = this.mAccessMgr.canAccessCos(this.mAuthToken, target);
/*      */       } else {
/*  415 */         hasRight = true;
/*      */       }
/*      */       
/*  418 */       return hasRight;
/*      */     }
/*      */     
/*      */     public boolean hasRight(Entry target, Object needed) throws ServiceException
/*      */     {
/*  423 */       return false;
/*      */     }
/*      */     
/*      */     public void checkRight(Entry target, Object needed)
/*      */       throws ServiceException
/*      */     {}
/*      */     
/*      */     public void checkCosRight(Cos cos, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  433 */       if ((isDomainAdminOnly()) && 
/*  434 */         (!this.mAccessMgr.canAccessCos(this.mAuthToken, cos))) {
/*  435 */         throw ServiceException.PERM_DENIED("can not access cos");
/*      */       }
/*      */     }
/*      */     
/*      */ 
/*      */     public void checkAccountRight(AdminDocumentHandler handler, Account account, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  443 */       soapOnly();
/*      */       
/*  445 */       if (!handler.canAccessAccount(this.mZsc, account)) {
/*  446 */         throw ServiceException.PERM_DENIED("can not access account");
/*      */       }
/*      */       
/*  449 */       if ((isDomainAdminOnly()) && ((needed instanceof Map))) {
/*  450 */         checkModifyAttrs(AttributeClass.account, (Map)needed);
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkCalendarResourceRight(AdminDocumentHandler handler, CalendarResource cr, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  457 */       soapOnly();
/*      */       
/*  459 */       if (!handler.canAccessAccount(this.mZsc, cr)) {
/*  460 */         throw ServiceException.PERM_DENIED("can not access calendar resource");
/*      */       }
/*      */       
/*  463 */       if ((isDomainAdminOnly()) && ((needed instanceof Map))) {
/*  464 */         checkModifyAttrs(AttributeClass.calendarResource, (Map)needed);
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDistributionListRight(AdminDocumentHandler handler, DistributionList dl, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  471 */       soapOnly();
/*      */       
/*  473 */       if (!handler.canAccessEmail(this.mZsc, dl.getName())) {
/*  474 */         throw ServiceException.PERM_DENIED("can not access dl");
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDynamicGroupRight(AdminDocumentHandler handler, DynamicGroup group, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  481 */       soapOnly();
/*      */       
/*  483 */       if (!handler.canAccessEmail(this.mZsc, group.getName())) {
/*  484 */         throw ServiceException.PERM_DENIED("can not access group");
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDomainRightByEmail(AdminDocumentHandler handler, String email, AdminRight needed)
/*      */       throws ServiceException
/*      */     {
/*  491 */       soapOnly();
/*      */       
/*  493 */       if (!handler.canAccessEmail(this.mZsc, email)) {
/*  494 */         throw ServiceException.PERM_DENIED("can not access email:" + email);
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDomainRight(AdminDocumentHandler handler, String domainName, Object needed) throws ServiceException
/*      */     {
/*  500 */       soapOnly();
/*      */       
/*  502 */       if (isDomainAdminOnly()) {
/*  503 */         if (!handler.canAccessDomain(this.mZsc, domainName)) {
/*  504 */           throw ServiceException.PERM_DENIED("can not access domain");
/*      */         }
/*      */         
/*  507 */         if ((needed instanceof Map)) {
/*  508 */           checkModifyAttrs(AttributeClass.domain, (Map)needed);
/*      */         }
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDomainRight(AdminDocumentHandler handler, Domain domain, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  516 */       soapOnly();
/*      */       
/*      */ 
/*      */ 
/*      */ 
/*  521 */       checkDomainRight(handler, domain.getName(), needed);
/*      */     }
/*      */     
/*      */     public AccessManager.AttrRightChecker getAttrRightChecker(Entry target)
/*      */       throws ServiceException
/*      */     {
/*  527 */       return null;
/*      */     }
/*      */     
/*      */     public AccessManager.AttrRightChecker getAttrRightChecker(Entry target, Set<HardRules.HardRule> ignoreHardRules)
/*      */       throws ServiceException
/*      */     {
/*  533 */       return null;
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   private static class GlobalAccessControl
/*      */     extends AdminAccessControl
/*      */   {
/*      */     private GlobalAccessControl(AccessManager accessMgr, ZimbraSoapContext zsc, AuthToken authToken, Account authedAcct)
/*      */     {
/*  546 */       super(zsc, authToken, authedAcct, null);
/*      */     }
/*      */     
/*      */     public void checkAccountRight(AdminDocumentHandler handler, Account account, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  552 */       soapOnly();
/*      */       
/*  554 */       checkDomainStatus(account);
/*      */       
/*  556 */       Boolean canAccess = handler.canAccessAccountCommon(this.mZsc, account, false);
/*      */       
/*  558 */       if (canAccess == null) {
/*  559 */         throwIfNotAllowed();
/*      */       } else {
/*  561 */         boolean hasRight = canAccess.booleanValue();
/*  562 */         if (!hasRight) {
/*  563 */           throw ServiceException.PERM_DENIED("only global admin is allowed");
/*      */         }
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkCalendarResourceRight(AdminDocumentHandler handler, CalendarResource cr, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  571 */       checkAccountRight(handler, cr, needed);
/*      */     }
/*      */     
/*      */     public void checkCosRight(Cos cos, Object needed) throws ServiceException
/*      */     {
/*  576 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkDistributionListRight(AdminDocumentHandler handler, DistributionList dl, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  582 */       soapOnly();
/*  583 */       checkDomainStatus(dl);
/*  584 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkDynamicGroupRight(AdminDocumentHandler handler, DynamicGroup group, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  590 */       soapOnly();
/*  591 */       checkDomainStatus(group);
/*  592 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkDomainRight(AdminDocumentHandler handler, String domainName, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  598 */       soapOnly();
/*      */       
/*  600 */       Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainName);
/*  601 */       if (domain == null) {
/*  602 */         throw ServiceException.PERM_DENIED("no such domain: " + domainName);
/*      */       }
/*  604 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkDomainRight(AdminDocumentHandler handler, Domain domain, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  610 */       soapOnly();
/*  611 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkDomainRightByEmail(AdminDocumentHandler handler, String email, AdminRight needed)
/*      */       throws ServiceException
/*      */     {
/*  617 */       soapOnly();
/*      */       
/*  619 */       String domainName = NameUtil.EmailAddress.getDomainNameFromEmail(email);
/*  620 */       Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainName);
/*  621 */       if (domain == null) {
/*  622 */         throw AccountServiceException.NO_SUCH_DOMAIN(domainName);
/*      */       }
/*      */       
/*  625 */       checkDomainStatus(domain);
/*  626 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkModifyAttrs(AttributeClass attrClass, Map<String, Object> attrs)
/*      */       throws ServiceException
/*      */     {
/*  632 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public boolean hasRight(Entry target, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  638 */       return doCheckRight();
/*      */     }
/*      */     
/*      */     public void checkRight(Entry target, Object needed) throws ServiceException
/*      */     {
/*  643 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public void checkSetAttrsOnCreate(TargetType targetType, String entryName, Map<String, Object> attrs)
/*      */       throws ServiceException
/*      */     {
/*  649 */       throwIfNotAllowed();
/*      */     }
/*      */     
/*      */     public AccessManager.AttrRightChecker getAttrRightChecker(Entry target)
/*      */       throws ServiceException
/*      */     {
/*  655 */       return new AdminAccessControl.AttributeRightChecker(this, target, null);
/*      */     }
/*      */     
/*      */     public AccessManager.AttrRightChecker getAttrRightChecker(Entry target, Set<HardRules.HardRule> ignoreHardRules)
/*      */       throws ServiceException
/*      */     {
/*  661 */       return getAttrRightChecker(target);
/*      */     }
/*      */     
/*      */     public boolean hasRightsToList(NamedEntry target, AdminRight listRight, Object getAttrRight)
/*      */       throws ServiceException
/*      */     {
/*  667 */       return doCheckRight();
/*      */     }
/*      */     
/*      */     public boolean hasRightsToListCos(Cos target, AdminRight listRight, Object getAttrRight)
/*      */       throws ServiceException
/*      */     {
/*  673 */       return doCheckRight();
/*      */     }
/*      */     
/*      */ 
/*      */     public boolean isSufficientAdminForSoap(Map<String, Object> soapCtxt, DocumentHandler handler)
/*      */     {
/*  679 */       return this.mAuthToken.isAdmin();
/*      */     }
/*      */     
/*      */     public boolean isSufficientAdminForZimletFilterServlet()
/*      */     {
/*  684 */       return this.mAuthToken.isAdmin();
/*      */     }
/*      */     
/*      */ 
/*      */     private void throwIfNotAllowed()
/*      */       throws ServiceException
/*      */     {
/*  691 */       boolean hasRight = doCheckRight();
/*      */       
/*  693 */       if (!hasRight) {
/*  694 */         throw ServiceException.PERM_DENIED("only global admin is allowed");
/*      */       }
/*      */     }
/*      */     
/*      */     private boolean doCheckRight() {
/*  699 */       return this.mAccessMgr.canDo(this.mAuthedAcct, null, null, true);
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */   private static class ACLAccessControl
/*      */     extends AdminAccessControl
/*      */   {
/*      */     private ACLAccessControl(AccessManager accessMgr, ZimbraSoapContext zsc, AuthToken authToken, Account authedAcct)
/*      */     {
/*  711 */       super(zsc, authToken, authedAcct, null);
/*      */     }
/*      */     
/*      */ 
/*      */     public boolean isSufficientAdminForSoap(Map<String, Object> soapCtxt, DocumentHandler handler)
/*      */     {
/*  717 */       return (this.mAuthToken.isAdmin()) || (this.mAuthToken.isDelegatedAdmin());
/*      */     }
/*      */     
/*      */     public boolean isSufficientAdminForZimletFilterServlet()
/*      */     {
/*  722 */       return (this.mAuthToken.isAdmin()) || (this.mAuthToken.isDelegatedAdmin());
/*      */     }
/*      */     
/*      */     public void checkModifyAttrs(AttributeClass attrClass, Map<String, Object> attrs)
/*      */       throws ServiceException
/*      */     {
/*  728 */       throw ServiceException.FAILURE("internal error", null);
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     public void checkSetAttrsOnCreate(TargetType targetType, String entryName, Map<String, Object> attrs)
/*      */       throws ServiceException
/*      */     {
/*  738 */       boolean hasRight = this.mAccessMgr.canSetAttrsOnCreate(this.mAuthedAcct, targetType, entryName, attrs, true);
/*      */       
/*      */ 
/*  741 */       if (!hasRight) {
/*  742 */         throw ServiceException.PERM_DENIED("cannot set attrs");
/*      */       }
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     public boolean hasRightsToList(NamedEntry target, AdminRight listRight, Object getAttrRight)
/*      */       throws ServiceException
/*      */     {
/*      */       try
/*      */       {
/*  756 */         checkRight(target, listRight);
/*      */       }
/*      */       catch (ServiceException e)
/*      */       {
/*  760 */         if ("service.PERM_DENIED".equals(e.getCode())) {
/*  761 */           ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + target.getName() + ": " + e.getMessage());
/*      */           
/*  763 */           return false;
/*      */         }
/*  765 */         throw e;
/*      */       }
/*      */       
/*      */ 
/*      */ 
/*  770 */       if (getAttrRight == null) {
/*  771 */         return true;
/*      */       }
/*      */       
/*  774 */       if (((getAttrRight instanceof Set)) && 
/*  775 */         (((Set)getAttrRight).isEmpty())) {
/*  776 */         ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + target.getName() + ": " + "non of the requested attrs is valid on the entry");
/*      */         
/*  778 */         return false;
/*      */       }
/*      */       
/*      */       try
/*      */       {
/*  783 */         checkRight(target, getAttrRight);
/*      */       }
/*      */       catch (ServiceException e)
/*      */       {
/*  787 */         if ("service.PERM_DENIED".equals(e.getCode())) {
/*  788 */           ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + target.getName() + ": " + e.getMessage());
/*      */           
/*  790 */           return false;
/*      */         }
/*  792 */         throw e;
/*      */       }
/*      */       
/*      */ 
/*  796 */       return true;
/*      */     }
/*      */     
/*      */     public boolean hasRightsToListCos(Cos target, AdminRight listRight, Object getAttrRight)
/*      */       throws ServiceException
/*      */     {
/*  802 */       return hasRightsToList(target, listRight, getAttrRight);
/*      */     }
/*      */     
/*      */     public void checkRight(Entry target, Object needed) throws ServiceException
/*      */     {
/*  807 */       if (target == null) {
/*  808 */         target = Provisioning.getInstance().getGlobalGrant();
/*      */       }
/*  810 */       if (!doCheckRight(target, needed)) {
/*  811 */         throw ServiceException.PERM_DENIED(printNeededRight(target, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public boolean hasRight(Entry target, Object needed) throws ServiceException
/*      */     {
/*  817 */       if (target == null) {
/*  818 */         target = Provisioning.getInstance().getGlobalGrant();
/*      */       }
/*  820 */       return doCheckRight(target, needed);
/*      */     }
/*      */     
/*      */     public void checkCosRight(Cos cos, Object needed) throws ServiceException
/*      */     {
/*  825 */       if (!doCheckRight(cos, needed)) {
/*  826 */         throw ServiceException.PERM_DENIED(printNeededRight(cos, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkAccountRight(AdminDocumentHandler handler, Account account, Object needed) throws ServiceException
/*      */     {
/*  832 */       soapOnly();
/*      */       
/*  834 */       checkDomainStatus(account);
/*      */       
/*  836 */       Boolean canAccess = handler.canAccessAccountCommon(this.mZsc, account, false);
/*      */       boolean hasRight;
/*  838 */       boolean hasRight; if (canAccess == null) {
/*  839 */         hasRight = doCheckRight(account, needed);
/*      */       } else {
/*  841 */         hasRight = canAccess.booleanValue();
/*      */       }
/*  843 */       if (!hasRight) {
/*  844 */         throw ServiceException.PERM_DENIED(printNeededRight(account, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkCalendarResourceRight(AdminDocumentHandler handler, CalendarResource cr, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  851 */       soapOnly();
/*      */       
/*  853 */       checkDomainStatus(cr);
/*      */       
/*  855 */       Boolean canAccess = handler.canAccessAccountCommon(this.mZsc, cr, false);
/*      */       boolean hasRight;
/*  857 */       boolean hasRight; if (canAccess == null) {
/*  858 */         hasRight = doCheckRight(cr, needed);
/*      */       } else {
/*  860 */         hasRight = canAccess.booleanValue();
/*      */       }
/*      */       
/*  863 */       if (!hasRight) {
/*  864 */         throw ServiceException.PERM_DENIED(printNeededRight(cr, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDistributionListRight(AdminDocumentHandler handler, DistributionList dl, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  871 */       soapOnly();
/*      */       
/*  873 */       checkDomainStatus(dl);
/*      */       
/*  875 */       if (!doCheckRight(dl, needed)) {
/*  876 */         throw ServiceException.PERM_DENIED(printNeededRight(dl, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDynamicGroupRight(AdminDocumentHandler handler, DynamicGroup group, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  883 */       soapOnly();
/*      */       
/*  885 */       checkDomainStatus(group);
/*      */       
/*  887 */       if (!doCheckRight(group, needed)) {
/*  888 */         throw ServiceException.PERM_DENIED(printNeededRight(group, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDomainRightByEmail(AdminDocumentHandler handler, String email, AdminRight needed)
/*      */       throws ServiceException
/*      */     {
/*  895 */       soapOnly();
/*      */       
/*  897 */       String domainName = NameUtil.EmailAddress.getDomainNameFromEmail(email);
/*  898 */       Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainName);
/*  899 */       if (domain == null) {
/*  900 */         throw AccountServiceException.NO_SUCH_DOMAIN(domainName);
/*      */       }
/*      */       
/*  903 */       checkDomainStatus(domain);
/*      */       
/*  905 */       if (!doCheckRight(domain, needed)) {
/*  906 */         throw ServiceException.PERM_DENIED(printNeededRight(domain, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDomainRight(AdminDocumentHandler handler, String domainName, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  913 */       soapOnly();
/*      */       
/*  915 */       Domain domain = Provisioning.getInstance().get(Key.DomainBy.name, domainName);
/*  916 */       if (domain == null) {
/*  917 */         throw ServiceException.PERM_DENIED("no such domain: " + domainName);
/*      */       }
/*      */       
/*  920 */       if (!doCheckRight(domain, needed)) {
/*  921 */         throw ServiceException.PERM_DENIED(printNeededRight(domain, needed));
/*      */       }
/*      */     }
/*      */     
/*      */     public void checkDomainRight(AdminDocumentHandler handler, Domain domain, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  928 */       soapOnly();
/*      */       
/*  930 */       if (!doCheckRight(domain, needed)) {
/*  931 */         throw ServiceException.PERM_DENIED(printNeededRight(domain, needed));
/*      */       }
/*      */     }
/*      */     
/*      */ 
/*      */     public AccessManager.AttrRightChecker getAttrRightChecker(Entry target)
/*      */       throws ServiceException
/*      */     {
/*  939 */       return new AdminAccessControl.AttributeRightChecker(this, target, null);
/*      */     }
/*      */     
/*      */     public AccessManager.AttrRightChecker getAttrRightChecker(Entry target, Set<HardRules.HardRule> ignoreHardRules)
/*      */       throws ServiceException
/*      */     {
/*      */       try
/*      */       {
/*  947 */         return getAttrRightChecker(target);
/*      */       } catch (ServiceException e) {
/*  949 */         if ("service.PERM_DENIED".equals(e.getCode())) {
/*  950 */           HardRules.HardRule violatedRule = HardRules.HardRule.ruleVolated(e);
/*  951 */           if (ignoreHardRules.contains(violatedRule))
/*      */           {
/*  953 */             new AccessManager.AttrRightChecker()
/*      */             {
/*      */               public boolean allowAttr(String attrName) {
/*  956 */                 return false;
/*      */               }
/*      */             };
/*      */           }
/*      */         }
/*      */         
/*      */ 
/*  963 */         throw e;
/*      */       }
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     private boolean doCheckRight(Entry target, Object needed)
/*      */       throws ServiceException
/*      */     {
/*  983 */       if ((needed instanceof AdminRight)) {
/*  984 */         AdminRight adminRight = (AdminRight)needed;
/*  985 */         if (adminRight.isPresetRight())
/*  986 */           return this.mAccessMgr.canDo(this.mAuthedAcct, target, (AdminRight)needed, true, null);
/*  987 */         if (adminRight.isAttrRight()) {
/*  988 */           if (adminRight.getRightType() == Right.RightType.getAttrs) {
/*  989 */             return this.mAccessMgr.canGetAttrs(this.mAuthedAcct, target, ((AttrRight)needed).getAttrs(), true);
/*      */           }
/*  991 */           if (adminRight.getRightType() == Right.RightType.setAttrs)
/*      */           {
/*  993 */             return this.mAccessMgr.canSetAttrs(this.mAuthedAcct, target, ((AttrRight)needed).getAttrs(), true);
/*      */           }
/*      */         }
/*      */         
/*  997 */         throw ServiceException.FAILURE("internal error", null);
/*      */       }
/*  999 */       if ((needed instanceof Set))
/* 1000 */         return this.mAccessMgr.canGetAttrs(this.mAuthedAcct, target, (Set)needed, true);
/* 1001 */       if ((needed instanceof Map))
/*      */       {
/* 1003 */         return this.mAccessMgr.canSetAttrs(this.mAuthedAcct, target, (Map)needed, true); }
/* 1004 */       if ((needed instanceof AdminAccessControl.DynamicAttrsRight)) {
/* 1005 */         AdminAccessControl.DynamicAttrsRight dar = (AdminAccessControl.DynamicAttrsRight)needed;
/* 1006 */         return dar.checkRight(this.mAccessMgr, this.mAuthedAcct, target);
/*      */       }
/* 1008 */       throw ServiceException.FAILURE("internal error", null);
/*      */     }
/*      */     
/*      */     private String printNeededRight(Entry target, Object needed) throws ServiceException
/*      */     {
/* 1013 */       if (((needed instanceof AdminRight)) && (AdminRight.PR_SYSTEM_ADMIN_ONLY == (AdminRight)needed)) {
/* 1014 */         return "Only system admins are allowed.";
/*      */       }
/*      */       String targetInfo;
/*      */       String targetInfo;
/* 1018 */       if (PseudoTarget.isPseudoEntry(target)) {
/* 1019 */         targetInfo = ""; } else { String targetInfo;
/* 1020 */         if ((target instanceof Alias)) {
/* 1021 */           targetInfo = " for alias " + target.getLabel();
/*      */         } else {
/* 1023 */           targetInfo = " for " + TargetType.getTargetType(target).name() + " " + target.getLabel();
/*      */         }
/*      */       }
/* 1026 */       if ((needed instanceof AdminRight))
/* 1027 */         return "need right: " + ((AdminRight)needed).getName() + targetInfo;
/* 1028 */       if ((needed instanceof Set))
/* 1029 */         return "cannot get attrs on " + targetInfo;
/* 1030 */       if ((needed instanceof Map)) {
/* 1031 */         return "cannot set attrs on " + targetInfo;
/*      */       }
/* 1033 */       throw ServiceException.FAILURE("internal error", null);
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */   public static abstract class BulkRightChecker
/*      */     implements NamedEntry.CheckRight
/*      */   {
/*      */     protected AdminAccessControl mAC;
/*      */     
/*      */ 
/*      */ 
/*      */     protected Provisioning mProv;
/*      */     
/*      */ 
/*      */     RightCommand.AllEffectiveRights mAllEffRights;
/*      */     
/*      */ 
/*      */     private Map<Right, Set<HardRules.HardRule>> mIgnoreHardRules;
/*      */     
/*      */ 
/*      */ 
/*      */     public BulkRightChecker(AdminAccessControl accessControl, Provisioning prov)
/*      */       throws ServiceException
/*      */     {
/* 1060 */       this.mAC = accessControl;
/* 1061 */       this.mProv = (prov == null ? Provisioning.getInstance() : prov);
/*      */     }
/*      */     
/*      */     protected void setIgnoreHardRules(Map<Right, Set<HardRules.HardRule>> ignoreHardRuleViolation) throws ServiceException
/*      */     {
/* 1066 */       this.mIgnoreHardRules = ignoreHardRuleViolation;
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     protected boolean allowAll()
/*      */     {
/* 1087 */       return AccessControlUtil.isGlobalAdmin(this.mAC.mAuthedAcct, true);
/*      */     }
/*      */     
/*      */ 
/*      */     protected boolean hasRight(NamedEntry target, AdminRight rightNeeded)
/*      */       throws ServiceException
/*      */     {
/* 1094 */       if ((this.mAC instanceof AdminAccessControl.ACLAccessControl)) {
/* 1095 */         return hasRightImplBulk(target, rightNeeded);
/*      */       }
/*      */       
/* 1098 */       return hasRightImplBulkDefault(target, rightNeeded);
/*      */     }
/*      */     
/*      */     private boolean hasRightImplBulkDefault(NamedEntry target, AdminRight rightNeeded)
/*      */       throws ServiceException
/*      */     {
/*      */       try
/*      */       {
/* 1106 */         this.mAC.checkRight(target, rightNeeded);
/* 1107 */         return true;
/*      */       }
/*      */       catch (ServiceException e) {}
/*      */       
/* 1111 */       return false;
/*      */     }
/*      */     
/*      */     private boolean hasRightImplBulk(NamedEntry target, AdminRight rightNeeded) throws ServiceException
/*      */     {
/*      */       try
/*      */       {
/* 1118 */         Boolean hardRulesResult = HardRules.checkHardRules(this.mAC.mAuthedAcct, true, target, rightNeeded);
/*      */         
/* 1120 */         if (hardRulesResult != null) {
/* 1121 */           return hardRulesResult.booleanValue();
/*      */         }
/*      */       }
/*      */       catch (ServiceException e)
/*      */       {
/* 1126 */         if ("service.PERM_DENIED".equals(e.getCode())) {
/* 1127 */           boolean violatedIgnoredHardRule = false;
/*      */           
/* 1129 */           if (this.mIgnoreHardRules != null) {
/* 1130 */             Set<HardRules.HardRule> ignoreRules = (Set)this.mIgnoreHardRules.get(rightNeeded);
/* 1131 */             if (ignoreRules != null) {
/* 1132 */               HardRules.HardRule violatedRule = HardRules.HardRule.ruleVolated(e);
/* 1133 */               if (ignoreRules.contains(violatedRule)) {
/* 1134 */                 violatedIgnoredHardRule = true;
/*      */               }
/*      */             }
/*      */           }
/*      */           
/* 1139 */           if (violatedIgnoredHardRule)
/*      */           {
/* 1141 */             ZimbraLog.acl.debug(getClass().getName() + ": not skipping entry " + target.getName() + ": " + e.getMessage());
/*      */           }
/*      */           else {
/* 1144 */             ZimbraLog.acl.warn(getClass().getName() + ": skipping entry " + target.getName() + ": " + e.getMessage());
/*      */             
/* 1146 */             return false;
/*      */           }
/*      */         } else {
/* 1149 */           throw e;
/*      */         }
/*      */       }
/*      */       
/* 1153 */       if (this.mAllEffRights == null) {
/* 1154 */         this.mAllEffRights = this.mProv.getAllEffectiveRights(GranteeType.GT_USER.getCode(), GranteeSelector.GranteeBy.id, this.mAC.mAuthedAcct.getId(), false, false);
/*      */       }
/*      */       
/*      */ 
/*      */ 
/* 1159 */       TargetType targetType = rightNeeded.getTargetType();
/*      */       
/* 1161 */       RightCommand.RightsByTargetType rbtt = (RightCommand.RightsByTargetType)this.mAllEffRights.rightsByTargetType().get(targetType);
/*      */       
/*      */ 
/* 1164 */       if ((rbtt == null) || (rbtt.hasNoRight())) {
/* 1165 */         return false;
/*      */       }
/*      */       
/*      */ 
/*      */ 
/*      */ 
/* 1171 */       String targetName = target.getName();
/* 1172 */       for (RightCommand.RightAggregation rightsByEntries : rbtt.entries()) {
/* 1173 */         if (rightsByEntries.entries().contains(targetName)) {
/* 1174 */           RightCommand.EffectiveRights effRights = rightsByEntries.effectiveRights();
/* 1175 */           return hasRightBulk(effRights, target, rightNeeded);
/*      */         }
/*      */       }
/*      */       
/*      */ 
/* 1180 */       String targetDomainName = TargetType.getTargetDomainName(this.mProv, target);
/* 1181 */       if ((targetDomainName != null) && 
/* 1182 */         ((rbtt instanceof RightCommand.DomainedRightsByTargetType))) {
/* 1183 */         RightCommand.DomainedRightsByTargetType domainedRights = (RightCommand.DomainedRightsByTargetType)rbtt;
/*      */         
/* 1185 */         for (RightCommand.RightAggregation rightsByDomains : domainedRights.domains()) {
/* 1186 */           if (rightsByDomains.entries().contains(targetDomainName)) {
/* 1187 */             RightCommand.EffectiveRights effRights = rightsByDomains.effectiveRights();
/* 1188 */             return hasRightBulk(effRights, target, rightNeeded);
/*      */           }
/*      */         }
/*      */       }
/*      */       
/*      */ 
/*      */ 
/* 1195 */       RightCommand.EffectiveRights er = rbtt.all();
/* 1196 */       if (hasRightBulk(er, target, rightNeeded)) {
/* 1197 */         return true;
/*      */       }
/*      */       
/* 1200 */       return false;
/*      */     }
/*      */     
/*      */     private boolean hasRightBulk(RightCommand.EffectiveRights effRights, NamedEntry target, AdminRight rightNeeded)
/*      */     {
/* 1205 */       if (effRights == null) {
/* 1206 */         return false;
/*      */       }
/* 1208 */       List<String> presetRights = effRights.presetRights();
/* 1209 */       return (presetRights != null) && (presetRights.contains(rightNeeded.getName()));
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */     public abstract boolean allow(NamedEntry paramNamedEntry)
/*      */       throws ServiceException;
/*      */   }
/*      */   
/*      */ 
/*      */   public static class SearchDirectoryRightChecker
/*      */     extends AdminAccessControl.BulkRightChecker
/*      */   {
/*      */     protected boolean mAllowAll;
/*      */     
/*      */ 
/*      */     public SearchDirectoryRightChecker(AdminAccessControl accessControl, Provisioning prov, Set<String> reqAttrs)
/*      */       throws ServiceException
/*      */     {
/* 1228 */       super(prov);
/*      */       
/* 1230 */       Map<Right, Set<HardRules.HardRule>> ignoreHardRules = Maps.newHashMap();
/* 1231 */       ignoreHardRules.put(Rights.Admin.R_listAccount, EnumSet.of(HardRules.HardRule.DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN));
/*      */       
/* 1233 */       ignoreHardRules.put(Rights.Admin.R_listCalendarResource, EnumSet.of(HardRules.HardRule.DELEGATED_ADMIN_CANNOT_ACCESS_GLOBAL_ADMIN));
/*      */       
/* 1235 */       setIgnoreHardRules(ignoreHardRules);
/*      */       
/* 1237 */       this.mAllowAll = allowAll();
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     private boolean hasRightsToListDanglingAlias(Alias alias)
/*      */       throws ServiceException
/*      */     {
/* 1252 */       return this.mAC.hasRightsToList(alias, AdminRight.PR_SYSTEM_ADMIN_ONLY, null);
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     private boolean hasRightsToListAlias_old(Alias alias)
/*      */       throws ServiceException
/*      */     {
/* 1262 */       NamedEntry aliasTarget = alias.getTarget(this.mProv);
/*      */       boolean hasRight;
/* 1264 */       boolean hasRight; if (aliasTarget == null) {
/* 1265 */         hasRight = hasRightsToListDanglingAlias(alias);
/*      */       } else {
/* 1267 */         hasRight = allow(aliasTarget);
/*      */       }
/* 1269 */       return hasRight;
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     private boolean hasRightsToListAlias(Alias alias)
/*      */       throws ServiceException
/*      */     {
/* 1280 */       Domain domain = this.mProv.getDomain(alias);
/* 1281 */       if (domain == null) {
/* 1282 */         return false;
/*      */       }
/* 1284 */       return hasRight(domain, Rights.Admin.R_listAlias);
/*      */     }
/*      */     
/*      */     private AdminRight needRight(NamedEntry entry) throws ServiceException {
/* 1288 */       if ((entry instanceof CalendarResource))
/* 1289 */         return Rights.Admin.R_listCalendarResource;
/* 1290 */       if ((entry instanceof Account))
/* 1291 */         return Rights.Admin.R_listAccount;
/* 1292 */       if ((entry instanceof DistributionList))
/* 1293 */         return Rights.Admin.R_listDistributionList;
/* 1294 */       if ((entry instanceof DynamicGroup))
/* 1295 */         return Rights.Admin.R_listGroup;
/* 1296 */       if ((entry instanceof Domain))
/* 1297 */         return Rights.Admin.R_listDomain;
/* 1298 */       if ((entry instanceof Cos)) {
/* 1299 */         return Rights.Admin.R_listCos;
/*      */       }
/* 1301 */       return null;
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     public boolean allow(NamedEntry entry)
/*      */       throws ServiceException
/*      */     {
/* 1311 */       if (this.mAllowAll) {
/* 1312 */         return true;
/*      */       }
/*      */       
/* 1315 */       if ((entry instanceof Alias)) {
/* 1316 */         return hasRightsToListAlias((Alias)entry);
/*      */       }
/* 1318 */       AdminRight listRightNeeded = needRight(entry);
/* 1319 */       if (listRightNeeded != null) {
/* 1320 */         return hasRight(entry, listRightNeeded);
/*      */       }
/* 1322 */       return false;
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     public List<NamedEntry> getAllowed(List<NamedEntry> entries, int maxEntries)
/*      */       throws ServiceException
/*      */     {
/* 1334 */       List<NamedEntry> allowedEntries = Lists.newArrayListWithExpectedSize(entries.size());
/* 1335 */       for (int i = 0; i < entries.size(); i++) {
/* 1336 */         NamedEntry entry = (NamedEntry)entries.get(i);
/* 1337 */         if (allow(entry)) {
/* 1338 */           allowedEntries.add(entry);
/*      */         }
/* 1340 */         if (allowedEntries.size() >= maxEntries) {
/*      */           break;
/*      */         }
/*      */       }
/* 1344 */       return allowedEntries;
/*      */     }
/*      */     
/*      */ 
/*      */ 
/*      */     @Deprecated
/*      */     public List getAllowed(List entries)
/*      */       throws ServiceException
/*      */     {
/* 1353 */       return getAllowed(entries, entries.size());
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   static class AttributeRightChecker
/*      */     implements AccessManager.AttrRightChecker
/*      */   {
/*      */     private final AccessManager.AttrRightChecker mRightChecker;
/*      */     
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */     private AttributeRightChecker(AdminAccessControl accessControl, Entry target)
/*      */       throws ServiceException
/*      */     {
/* 1374 */       this.mRightChecker = accessControl.mAccessMgr.getGetAttrsChecker(accessControl.mAuthedAcct, target, true);
/*      */     }
/*      */     
/*      */ 
/*      */     public boolean allowAttr(String attrName)
/*      */     {
/* 1380 */       return this.mRightChecker.allowAttr(attrName);
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public static abstract class DynamicAttrsRight
/*      */   {
/*      */     abstract boolean checkRight(AccessManager paramAccessManager, Account paramAccount, Entry paramEntry)
/*      */       throws ServiceException;
/*      */   }
/*      */   
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */ 
/*      */   public static class GetAttrsRight
/*      */     extends AdminAccessControl.DynamicAttrsRight
/*      */   {
/* 1409 */     private final Set<String> mAttrs = new HashSet();
/*      */     
/*      */     public void addAttr(String attrName) {
/* 1412 */       this.mAttrs.add(attrName);
/*      */     }
/*      */     
/*      */     boolean checkRight(AccessManager am, Account authedAcct, Entry target)
/*      */       throws ServiceException
/*      */     {
/* 1418 */       return am.canGetAttrs(authedAcct, target, this.mAttrs, true);
/*      */     }
/*      */   }
/*      */   
/*      */ 
/*      */   public static class SetAttrsRight
/*      */     extends AdminAccessControl.DynamicAttrsRight
/*      */   {
/* 1426 */     private final Set<String> mAttrs = new HashSet();
/*      */     
/*      */     public void addAttr(String attrName) {
/* 1429 */       this.mAttrs.add(attrName);
/*      */     }
/*      */     
/*      */     boolean checkRight(AccessManager am, Account authedAcct, Entry target)
/*      */       throws ServiceException
/*      */     {
/* 1435 */       return am.canSetAttrs(authedAcct, target, this.mAttrs, true);
/*      */     }
/*      */   }
/*      */   
/*      */   public static class SetAttrsRightWithConstraintChecking extends AdminAccessControl.DynamicAttrsRight {
/* 1440 */     private final Map<String, Object> mAttrs = new HashMap();
/*      */     
/*      */     public void addAttr(String attrName, Object attrValue) {
/* 1443 */       this.mAttrs.put(attrName, attrValue);
/*      */     }
/*      */     
/*      */     boolean checkRight(AccessManager am, Account authedAcct, Entry target)
/*      */       throws ServiceException
/*      */     {
/* 1449 */       return am.canSetAttrs(authedAcct, target, this.mAttrs, true);
/*      */     }
/*      */   }
/*      */ }


/* Location:              /home/mint/zimbrastore.jar!/com/zimbra/cs/service/admin/AdminAccessControl.class
 * Java compiler version: 7 (51.0)
 * JD-Core Version:       0.7.1
 */